IPS Alert: Some internal hosts to (*.root-servers.net) Destination port: 53 (domain)

I'm in production now with our SG330.  Overall it's going GREAT!

 

I've been getting a lot of IPS Alerts when our Barracuda Spam Firewall and our Active Directory Domain Controllers try to talk to DNS root servers.

If I add those hosts to the DNS Servers section under Network Protection > Intrusion Prevention > Advanced > Performance Tuning, that should take care of it, yes?

 

Thank you!

-KJ



This thread was automatically locked due to age.
  • Kris, you might want to change your setup to DNS Best Practice.  We would need to see the warning to be able to have an idea about the 'Advanced' tab.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob, I'll read DNS Best Practice.

    I'm getting IPS hits on Rule ID 39866:  INDICATOR-COMPROMISE Suspicious .ml dns query.

    It is always for internal servers reaching out to either Google's DNS Servers at 8.8.8.8 & 8.8.4.4, or the various hosts at *.root-servers.net

    ____________________________
    Kris Jacobs
    Network Administrator
    Calhoun County IT Department
    Battle Creek, Michigan   USA

  • DNS Best Practice Rule #1 seems contradictory to what I read in UTM when looking at Network Services > DNS > Allowed networks.

    "If you already run an internal DNS server (for example as part of Active Directory), you should leave this setting empty."

     

    We do, Active Directory Domain Controllers.  That is why I've left it blank.


  • All I can tell you, Kris, is that 18 months ago, someone at Sophos thought the approach in that post was correct enough to copy it into a KnowledgeBase article: Best practice: DNS Configuration on the Sophos UTM.

    Cheers - Bob

  • I went through a bit of this when first setting up a UTM with AD etc.

    First thing I did with the UTM was put a DNS entry and a browsing entry into the firewall rules (which is what you would do on most firewalls)

    Learning from my mistakes:

    1. Don't put any firewall rules in to start with

    2. Add only the AD DNS server hosts to the allowed networks in the DNS proxy. Set the AD forwarder to the UTM. On the UTM, enter the ISP forwarders there.

    3. Add the network you want to browse the internet with into the web proxy with appropriate filtering

    You are then on the net without any rules being placed in the firewall. It seems a little strange to start off with, as it's a departure from the norm, and you look in the wrong place for the logs when they are really in the associated proxy logs, which makes sense when you look at it.

    Basically, use everything internally at your disposal, e.g. internal DNS servers etc., but if it has to go external, try to use the full power of the UTM, i.e. the DNS, HTTP, SMTP and reverse proxies, rather than putting them straight on the internet via NATting and firewall rules.
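Added example, not code from this thread or from Sophos: a small triage script for the situation Kris describes (SID 39866 hits from internal servers going to 8.8.8.8/8.8.4.4 and *.root-servers.net) and for checking the forwarder layout in the numbered steps above (clients to AD DNS, AD DNS forwarding to the UTM, UTM forwarding to the ISP). It parses IPS alert lines, keeps only port-53 traffic, and lists every internal host that resolves directly against root servers or public resolvers instead of forwarding to the UTM. The log lines are constructed to mimic the key="value" layout of the UTM ips.log and are not real captures; the field names (srcip, dstip, dstport, sid, name), the hostnames, the UTM address 10.10.1.1 and the timestamps are assumptions. The root-server addresses are real but only a partial list; take the full set from the current root hints file.

```python
"""Triage UTM IPS alerts for DNS traffic that bypasses the UTM DNS proxy.

Added example (not Sophos code). Log format and field names are assumed to
follow the UTM key="value" style; the sample records below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Partial root-server list (assumption: complete it from the current named.root).
ROOT_SERVERS = {
    "198.41.0.4": "a.root-servers.net",
    "192.33.4.12": "c.root-servers.net",
    "199.7.91.13": "d.root-servers.net",
    "192.5.5.241": "f.root-servers.net",
    "193.0.14.129": "k.root-servers.net",
    "199.7.83.42": "l.root-servers.net",
    "202.12.27.33": "m.root-servers.net",
}
PUBLIC_RESOLVERS = {"8.8.8.8": "Google", "8.8.4.4": "Google"}

# Constructed sample records (NOT real log data); 10.10.1.1 is the assumed UTM.
SAMPLE_IPS_LOG = """\
2016:03:14-10:02:33 utm snort[4242]: id="2001" severity="warn" sys="SecureNet" sub="ips" name="INDICATOR-COMPROMISE Suspicious .ml dns query" action="alert" srcip="10.10.1.10" dstip="8.8.8.8" proto="17" srcport="51234" dstport="53" sid="39866"
2016:03:14-10:02:34 utm snort[4242]: id="2001" severity="warn" sys="SecureNet" sub="ips" name="INDICATOR-COMPROMISE Suspicious .ml dns query" action="alert" srcip="10.10.1.10" dstip="8.8.4.4" proto="17" srcport="51235" dstport="53" sid="39866"
2016:03:14-10:02:35 utm snort[4242]: id="2001" severity="warn" sys="SecureNet" sub="ips" name="INDICATOR-COMPROMISE Suspicious .ml dns query" action="alert" srcip="10.10.1.11" dstip="198.41.0.4" proto="17" srcport="49870" dstport="53" sid="39866"
2016:03:14-10:02:40 utm snort[4242]: id="2001" severity="warn" sys="SecureNet" sub="ips" name="INDICATOR-COMPROMISE Suspicious .ml dns query" action="alert" srcip="10.10.1.11" dstip="192.33.4.12" proto="17" srcport="49871" dstport="53" sid="39866"
2016:03:14-10:03:01 utm snort[4242]: id="2001" severity="warn" sys="SecureNet" sub="ips" name="INDICATOR-COMPROMISE Suspicious .ml dns query" action="alert" srcip="10.10.1.20" dstip="10.10.1.1" proto="17" srcport="50011" dstport="53" sid="39866"
2016:03:14-10:03:05 utm snort[4242]: id="2002" severity="info" sys="SecureNet" sub="ips" name="SERVER-OTHER example" action="alert" srcip="10.10.1.10" dstip="10.10.9.9" proto="6" srcport="50012" dstport="443" sid="12345"
"""


def parse_ips_log(text):
    """Yield one dict per line; lines without key="value" pairs are skipped."""
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields:
            fields["timestamp"] = line.split(" ", 1)[0]
            yield fields


def classify_destination(ip, utm_ip):
    """Where did this DNS query go: the UTM proxy, a root server, a public resolver,
    another internal host, or some other external address?"""
    if ip == utm_ip:
        return "utm-dns-proxy"
    if ip in ROOT_SERVERS:
        return "root-server"
    if ip in PUBLIC_RESOLVERS:
        return "public-resolver"
    if ipaddress.ip_address(ip).is_private:
        return "internal"
    return "other-external"


def dns_alert_summary(text, utm_ip):
    """Group port-53 IPS alerts by source host.

    Returns {srcip: {"count": n, "sids": {...}, "destinations": {class: {ip, ...}}}}.
    """
    summary = defaultdict(
        lambda: {"count": 0, "sids": set(), "destinations": defaultdict(set)})
    for rec in parse_ips_log(text):
        if rec.get("dstport") != "53":
            continue  # only DNS traffic matters for this question
        cls = classify_destination(rec["dstip"], utm_ip)
        entry = summary[rec["srcip"]]
        entry["count"] += 1
        entry["sids"].add(rec.get("sid", "?"))
        entry["destinations"][cls].add(rec["dstip"])
    return dict(summary)


def hosts_bypassing_utm(text, utm_ip):
    """Internal hosts resolving against root servers / public resolvers directly.

    Under the forwarder layout in the steps above these are the hosts whose
    forwarder should point at the UTM. Excluding them from IPS inspection under
    Performance Tuning > DNS Servers only silences the alerts; the direct
    resolution path stays in place.
    """
    external = {"root-server", "public-resolver", "other-external"}
    result = {}
    for src, entry in dns_alert_summary(text, utm_ip).items():
        ext = {c: sorted(ips) for c, ips in entry["destinations"].items() if c in external}
        if ext:
            result[src] = ext
    return result


if __name__ == "__main__":
    for src, dests in hosts_bypassing_utm(SAMPLE_IPS_LOG, "10.10.1.1").items():
        print(src, "->", dests)
```

Run against a real ips.log export, pass the UTM's internal address as utm_ip; the hosts it prints are the ones to re-point at the UTM (or, if you only want the noise gone, the ones to list under Performance Tuning > DNS Servers).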
